Posted
by
ScuttleMonkey
on Friday May 15, 2009 @01:46PM
from the always-declaring-war-on-something dept.

Several users have pointed out a recent request to technology companies from the Defense Information System Agency for ideas on how to build an e-mail defense system to catch spam. The solution would have to scan about 50 million inbound messages a day across some 700 unclassified network domains. "Defense currently scans e-mails for viruses and spam coming into systems serving the military services, commands or units. DISA wants to extend the protection to the interface between the Internet and its unclassified network, the Non-classified Internet Protocol Router Network. The agency also wants the ability to scan all outbound e-mails from the 5 million users. [...] DISA's request ties in with recommendations that the Defense Science Board issued in April that said Defense is more vulnerable to cyberattacks because of its decentralized networks and systems. The board envisioned a major role for DISA in developing the architecture for enterprise-wide systems."

But then how will I be able to refinance my mortgage while getting that penis enlargement using the money I won in the British lottery?

I'm convinced that the only real solution to spam is to find the people who are stupid enough to buy the products offered via spam and beat the ever living shit out of them. The spammers wouldn't keep doing it if people didn't keep buying their shit.....

I've experienced a recent oddity. My public gmail account still traps and disposes of the usual range of adverts for pilules, fortunes from various dubious sources, and enlargement schemes. My business address has been suddenly deluged with adverts for otherwise-legitimate products; for example, garden plants and seedlings from known nurseries; "art" tchochkes from various "limited edition" emporiums, and golf and fishing equipment, and camping gear from known sporting-goods outlets. My server traps and bla

The most described system is 'an orbiting tungsten telephone pole with small fins and a computer in the back for guidance.' The weapon can be down-scaled as small as several meters long, an orbiting "crowbar" rather than a pole.

The time between deorbiting and impact would only be a few minutes, and depending on the orbits and positions in the orbits, the system would have a world-wide range. There is no requirement to deploy missiles, aircraft or other vehicles

After a month, choose several random spammers as targets to "test the efficacity of our cyberwarfare teams"

You assume that spammers have a network to attack. I assure you, they do not. All this spam is coming from large networks of zombie machines. To launch a cyberattack on the source of the spam would effectively be a scorched Earth tactic. It might get rid of your spam, but it will also get rid of the architecture you're defending...

Another idea: when anyone signs up for an account with an ISP, they put a small amount of money (let's say $10 just for sake of argument) in escrow. If their accounts are terminated because they violated their contract with the ISP, the escrow is forfeit to the ISP. If they terminate their account normally, the escrow is returned to them.

Now for most people, putting up $10 once when they sign up for internet service isn't a problem and they're going to get that back when they stop using that ISP. But th

Great, and then there will be secret abductions of spammers who are sent to Guantanamo without trial or hope of quick appeal. There will be water boarding and sleep deprivation and acts of humiliation.

I don't understand why routers can not be programed to limit the number of emails it receives from a single source. For example, if a router detects that 10,000 emails are coming from a particular host, treat that host as if it's perpetrating a DOS attack. Routers can be programmed to ignore DOS attacks, why not use the same tech to block massive spamming?

Because spam doesn't work that way anymore. It comes from botnets where each individual zombie only sends one or less messages to the target and need only send out 20 or 30 each day total to still be effective.

Because spam doesn't work that way anymore. It comes from botnets where each individual zombie only sends one or less messages to the target and need only send out 20 or 30 each day total to still be effective.

First, I wonder about the 20-30 messages a day bit. There are roughly 150 billion [mywot.com] spam messages sent daily. There are 6 billion people on the planet. In order for your 20-30 messages a day number to be correct, that would every man, woman, and child on the earth would need a computer and every single one of them would be part of a botnet.

Next, if we are assuming that your 20-30 number is correct, I assume many of these messages are identical or similar enough to be identified. I know I get several repe

Companies that send out legitimate mass emails would need to be added to an "allow-list".

Who defines "legitimate"? I'm sure that (if they could get away with it) some people at Microsoft would say that messages to the Linux Kernel Mailing List or from Apple are not legitimate mass emails, and I'm sure there are some fanatic followers of Linux or Apple who would say the same thing about any emails sent out from Microsoft.
Who determines which companies are allowed on the "allow-list"?
Can companies be remo

First, I wonder about the 20-30 messages a day bit. There are roughly 150 billion spam messages sent daily. There are 6 billion people on the planet. In order for your 20-30 messages a day number to be correct, that would every man, woman, and child on the earth would need a computer and every single one of them would be part of a botnet.

You make the error of assuming spam sending is distributed evenly. Compromised systems at large corps and government offices can easily send many orders of magnitude more spam and still get lost in the noise of legit email from their sites.

There are only so many routers that lead into the US, set these up to monitor email traffic (is it port 22? 25? I don't remember)... and look for patterns.

That's an increase in workload that is many orders of magnitude larger than what even the largest routers do now. Furthermore, the US has the second highest zombie infection rate in the world, so border routers aren't all that useful and sending the cops after people wi

That's because you want a router to do something it doesn't care about. That would require full layer 7 visibility on the router - then it wouldn't be nearly as good at doing what its supposed to: routing.

Most routers rarely look above layer 3. Occasionally they'll do some layer 4 stuff, but that is best left to firewalls or load balancers.

Would it really require "full layer 7 visibility on the router" to count the number of port 25 messages coming from each host? I would assume the biggest problem would be the memory involved in counting the messages and keeping that count in RAM for each and every host, keeping track of which hosts are blocked by each router and every other router (national database) and securing the system so that some hacker can't get in there and put every Microsoft IP into the black-list.

Counting connections themselves is pretty near useless, as SMTP is designed to allow single connection to dump large amounts of separate email. Often cases you'll have SMTP connections from places like hotmail or gmail connect once and dump dozens/hundreds/thousands of emails. This happens even more for mailing lists.

It can be done, but not at the router level. This is why appliances such as Ironport exist.

If only it were as simple as "Host X sends spam -> block Host X." The problem is n clients of host X are zombies sending spam while the other y clients are legitimate users. So, sure, you can block my ISP because of the clients that are sending you spam, but then I couldn't send you an E-Mail either, and I actually DO know the secret to penis enlargement.

i think it would be easier if the ISPs start blocking any email coming from non-corporate users. If you want to have an email server at home, ask your ISP to unblock the port.
Then, all the grandma-zombie-computers will be unable to send spam.

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses(X) Mailing lists and other legitimate email uses would be affected( ) No one will be able to find the guy or collect the mone

Legitimate mass mailers would require a registration to be placed on an allow list. Of course, spammers need not apply. Licensing fees could even be charged for this list to pay for the program, but that may not be fair.

(X) Many email users cannot afford to lose business or alienate potential employers

Like who? Spammers? If you send less than, say, 10,000 emails a day, you shouldn't have to worry about anything. If you do legitimately send that many emails, see my response to your previous complaint.

(X) Open relays in foreign countries

How many "pipes" are there at US borders? Put filters on all of these.

As a sibling post pointed out, this checklist is used whenever there's discussion of solutions to the spam problem.

(X) Mailing lists and other legitimate email uses would be affected

Legitimate mass mailers would require a registration to be placed on an allow list. Of course, spammers need not apply. Licensing fees could even be charged for this list to pay for the program, but that may not be fair.

What if I'm a legitimate mass mailer who, say, wants to organize political protests? Who may not want their activities on a government list?

Machines that have been zombiefied would be cut off from the web at the router level. They will be allowed back on once their ISP can verify they have been de-zombied.

How long do you think AT&T and other broadband ISPs would put up with this? All the customer sees is "My Internets is broken. $ISP sucks, I'm switching." Also, if there's a 10000 per host limit (over a particular period), 9999 * 10 million is a pretty s

I don't understand why routers can not be programed to limit the number of emails it receives from a single source.

If you're asking whether a router can can impose limits such as the number of simultaneous connections allowed from a given host, or the rate at which new connections are established, then yes, that's perfectly do-able and good sense for not just SMTP traffic. Restricting the receipt of email messages, however, is a very different problem as has already been pointed out. That's not to say tha

Seriously, it's less than two dozen guys pumping out 90% of the spam in the world. I would guess that the law enforcements and militaries of the world should just do their jobs and apprehend these criminals.

I'd certainly appreciate real action like getting rid of spam than for the CIA/US Military to spend time chasing down far fetched terrorist plots. I'm constantly stunned that given the damage spam creates, special branches aren't more active in tracking and _eliminating_ the sources of these things.

I was a bit off by saying less than two dozen, but I wasn't off by that much. Spamhaus [spamhaus.org] says 200 heavyduty spammers are generating 80% of the spam in the world.

The numbers I had in my mind are an outdated estimate I've heard a couple of years back. It's good to remember to question information and it looks like I forgot about keeping my assumptions up to date...

I'm constantly stunned that given the damage spam creates, special branches aren't more active in tracking and _eliminating_ the sources of these things.

But no one yet understands the damage spam creates except for those of us with an IT bent. Back in WWII days and directly after, Radiation was your friend. It could do everything for the man of tomorrow! The first people to learn how dangerous it really was were the scientists getting really bad radiation poisoning and cancer. Even after that, it took a while for the public to switch from Radiation==Good to Radiation==NotGood, and even then, they over-simplified to the point that people still fear irradiated foods (which are not radioactive).

What we need are some public service announcements: "Unrequested mass mailings use our nation's internet bandwidth, reducing our GDP, making it easier for the terrorists to win, and have a carbon footprint equal to 5,000,000 cattle, a Rush Limbaugh, and a Michael Moore. You can do your part to help! Change your email default viewing to 'text only' so you don't load their images. Stop clicking on their links. Send them to your junk folder. Report them if your email system has a spam-reporting function. Like Spamsy the Cat says: 'I may be lazy, but even I can stop spam just by doing nothing!'"

Well, you are clearly over the top, but the best way to fight spam is with education.Don't pass it on, recognizer something questionable, what to do if you gt something questionable, and some things you can do to prevent SPAM.No product recommendation from any for profit Anti-virus/spam products.

I would guess that the law enforcements and militaries of the world should just do their jobs and apprehend these criminals.

To go a step further, what happens if it can be determined that the spammers are enemy combatants waging war against the United States infrastructure?
In other news today, US Military Drones attacked 200 hundred spam headquarters in coordinated action last night. Anti-war protestors took the streets by the thousands to show their support...

I know a workplace where they set up a bounce-and-confirmation system, so that mail from non-confirmed e-mail addresses was bounced, asking to reply if this was a real human. When it got the reply, the address was added to a whitelist.
The person working there said to me that he got zero spam after the implementation. Probably becouse almost all spam has a forged from header and/or is not able to receive and reply to incoming mail.

The only military email system that I've sent mail to used this, and some sort of system similar to/.'s Lameness filter. It took me three emails to get one message to one recipient. Annoying as Hell, and I almost gave up. Did the person you talked to give numbers on how much real messages were reduced?

This can be fixed with "white words" - certain things that are unique enough to the type of email that you might get to be considered a pre-confirmation. This is particularly important for getting electronic receipts - as the servers sending those out aren't going to participate in a challenge response. But they're pretty likely to have used something like your name, zip code, or other piece of text you don't find in Spam very often.

Likewise, using a subject line code word can allow humans to send more gen

Oh, so you are now a source of spam and back scatter since every single email address that sends a message to you (forged or otherwise) you reply to it as it were a legitimate message. Thanks for contributing to the problem and making it more likely I will not ever contact you via email. One of the reasons e-mail became so heavily used and therefore depended upon is the ease of communication. If you require a manual or auto (like yourse) moderated permission to communicate I guess I will just have to go to

One of the parents on a soccer team I was coaching had that. There was some glitch, and I started trying to work through their crappy system until I thought, "why should I go to this extra effort for somebody else's convenience?" So I didn't.

Also, a friend's yahoo account was compromised, so I started getting email "from him" (except not really). Not even whitelisting protects you then. (But the worst part was, my "real" email address was in his contacts list, so after 7 solid years, it was compromise

That's old school. Considering the from address is usually faked in suck large quantities, you will get SPAM from people on your whitelist.This was a good solution years ago, and it's is a good step now, but it's effectiveness is limited.

For this rare instance I would certainly condone a few black ops. Find the people who are responsible, capture them, torture them and if they are bad enough, kill them. When there is money involved, it should be trivial to follow that money back to the people who collect it.

This also gives me a great idea for a movie sequel to "Taken." '...I have a very special set of skills... I will find you and I will kill you.' '//good luck//'

Yah, but the US bases only use the Wishy-washy tortures like stress positions (which, according to Army Lawyers quoted in the report on torture is probably a violation of the UCMJ and possibly torture)

I wanna see these guys put into iron maidens, and their balls shocked with electricity until they turn black and fall off. Slowly cut after cut administered to their skin.... oh yah take that spammers!

Obviously they will spend a bunch of money, and it won't be 100% effective. But if you have 5 million users, and it costs an average of $100/hr to keep each of them, a significant reduction in spam is worth paying good money for.

approach to fighting spam. The idea will not work. Here is why it won't work. (One or more of the following may apply to this particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses(X) Mailing lists and other legitimate email uses would be affected( ) No one will be able to find the guy or collect the money( ) It is defenseless against brute force attacks(X) It will stop spam for two weeks and then we'll be stuck with it(X) Users of email will not put up with it( ) Microsoft will not put up with it( ) The police will not put up with it( ) Requires too much cooperation from spammers( ) Requires immediate total cooperation from everybody at once(X) Many email users cannot afford to lose business or alienate potential employers( ) Spammers don't care about invalid addresses in their lists(X) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it( ) Lack of centrally controlling authority for email( ) Open relays in foreign countries( ) Ease of searching tiny alphanumeric address space of all email addresses(X) Asshats( ) Jurisdictional problems( ) Unpopularity of weird new taxes( ) Public reluctance to accept weird new forms of money( ) Huge existing software investment in SMTP(X) Susceptibility of protocols other than SMTP to attack(X) Willingness of users to install OS patches received by email(X) Armies of worm riddled broadband-connected Windows boxes(X) Eternal arms race involved in all filtering approaches(X) Extreme profitability of spam( ) Joe jobs and/or identity theft(X) Technically illiterate politicians( ) Extreme stupidity on the part of people who do business with spammers( ) Dishonesty on the part of spammers themselves(X) Bandwidth costs that are unaffected by client filtering( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to this are easy to come up with, yet none have everbeen shown practical( ) Any scheme based on opt-out is unacceptable( ) SMTP headers should not be the subject of legislation(X) Blacklists suck( ) Whitelists suck(X) We should be able to talk about Viagra without being censored( ) Countermeasures should not involve wire fraud or credit card fraud(X) Countermeasures should not involve sabotage of public networks( ) Countermeasures must work if phased in gradually( ) Sending email should be free(X) Why should we have to trust you and your servers?( ) Incompatibility with open source or open source licenses( ) Feel-good measures do nothing to solve the problem( ) Temporary/one-time email addresses are cumbersome(X) I don't want the government reading my email(X) Killing them that way is not slow and painful enough

Furthermore, this is what I think about them:

( ) Sorry dude, but I don't think it would work.(X) This is a stupid idea, and they're stupid person for suggesting it.( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

The thing that most people don't get is that the spammers are known. We know where they are, we know who they are, and how they work. Cash does get traced, and it can't be hidden all that well.

The problem is that most of these cretins are either in countries that have governments that don't care, have no laws against this, or have better things to do. In some cases, they are, or have purchased the government.

So, since we know who they are, where they are, and many of the details, the solution is simple.

How many more times can i explain this, the ONLY foolproof model, is to charge per email sent, even if it is.01 of a cent, this will force not only the bad guys to spend money, and leave a paper trail for those using their own servers..which will then tend to up the bids and make alot less sense to use spam to send advertising per capital.

This would also be a quick sure way to let someone know they have been compromised, they could havea first offense 100$ cap for emails sent from their PCs, then 500$ cap

How many more times can i explain this, the ONLY foolproof model, is to charge per email sent, even if it is.01 of a cent,

I'll second you on this. As much as I love Free - and Free really is and always has been one of my most favorite things - an economic solution to this is by far the best approach to this. Give the money to the person receiving the e-mail - e.g. you pay me to receive your message - and I can use that as credit against e-mails I send myself. Then I might even accept that crap - before

Yeah there's a solution, it's cheap, and it's even explicitly in the Constitution: get Congress to issue Letters of Marque.I'm sure there are plenty of people who would take care of the problem for free, if only they got suitable permission.

Simply make an e-mail whitelist for that network. It's not that hard. Deny all external emails except for external authorized users (IE They're logged into the network thru a VPN or something) and basically deny any email outside of defined IP addresses. That should cut about 90% of your problem.

Wanna kill the other 10%? Get your network offline and keep it to internal usage only.

As evil as it sounds for a big evil organization to partner with another, Google's spam filtering technology on gmail is pretty damn impressive,. I get about 2000 spam messages in 30 days on one of my multiple gmail accounts. I rarely have a false positive or false negative.
I'm sure Google's mail filter is just an over glorified Bayesian filter, but with over 100 Million users contributing to the "This message is spam" list to help build the filter you couldn't go wrong. Hell, if Google gave me the option

The only solution is to make a system that uses a whitelist. But whitelists suck. So we need a whitelist that doesn't suck.

The first step is to have all the email clients start digitally signing emails. It is trivially easy to forge the headers on an email, so it would be stupid to trust them for identity information.

The second step is to have email servers check the identity against the whitelist. If the digital signature is invalid, or the credentials are forged (message was digitally signed, but the announced public key of the sender doesn't match) the message is trashed, with no error message sent. If the signature checks out, but the sender was not on the whitelist, the message bounces back to the sender, with an explanation ("you weren't on the whitelist, sorry").

Okay, but whitelists suck. If my best friend from college wants to track me down and send me an email, I want him to be able to do that; but I don't know his email so he's not on my whitelist. So, we need a solution to this problem.

My proposed solution is that your email server should advertise a list of ways that you will accept to bypass your whitelist for a message. One possible way: attach a micropayment of five cents. Another way: attach a certificate showing that your computer worked for an hour on some worthy problem like protein folding at home or something. Another way: here's a URL of a web page; it contains some riddle... attach the answer to your email. I'm sure you can think of other schemes to make it possible for a friend to bypass your whitelist while not enabling zombie Windows clusters to spray spam into your inbox.

There are other refinements possible. Your whitelist can accept, not just individual signatures, but "badges" from some organization. So, anyone from Mozilla.org can attach a Mozilla.org badge to their emails, and I can allow all Mozilla.org emails through. IEEE member badge, SourceForge.net badge, Apple.com badge, go nuts. Even an organization of "I Swear I Will Never Send Out Spam". The key with the badges is that, if you get kicked out of an organization, you have to lose access to the badge. One simple way would be for the check to be live: if you attach a Mozilla.org badge, the Mozilla.org server had better agree that your identity is one known to it.

The current email system is a "Default Permit" system (the #1 dumbest idea on this list [ranum.com]). It has to change.

This system would run on the infrastructure we already have, with a few additions. You could have one account with the whitelist, and another account without... but the one with the whitelist is the only one that pages you, or whatever. The important thing is that this doesn't require everyone in the whole world to adopt it before it starts to become useful. Mailing lists would still work, because when you sign up for a mailing list you would add that mailing list identity to your whitelist (probably a badge, such that members of the mailing list are then cleared to email you directly, through the badge).

Someone may claim that validating public key signatures is computationally expensive. No, not compared to running complicated heuristics over the content of a message, trying to guess whether it's spam or not (SpamAssassin and other systems). With this system, the server doesn't attempt to classify a message. Either it passes the whitelist, it's bounced back to the sender, or it's deleted. Done.

Now, if you have found a hole in this idea, you will score bonus points by explaining how to fix it, not merely pointing out that I am an idiot.

If my best friend from college wants to track me down and send me an email, I want him to be able to do that; but I don't know his email so he's not on my whitelist. So, we need a solution to this problem.

Publish/share whitelists. You haven't whitelisted your friend, but somebody has. Find 3 people who say "this guy is not a spammer," who themselves (recursion alert!) are not spammers.

In other words, guess their spammer rep the same way you guess whether or not to use an OpenPGP key that you haven't pe

9 servers. 50 million messages a week. Those 9 servers cost maybe $3,000 each. We have 9 servers because we want some redundancy. So let say you multiply that by 7. So you get ~50 machines to handle the army's volume. $150,000. Plus all the extras, so multiply that by 6. That's about a million dollars.

Seriously? From the article they say it would cost $100 million. Do you really think that is going to cost $100 million dollars? Seriously?

Ok, now you can't just stand up 50 machines to handle email. They have to be coordinated (and load-balanced).

Plus you have to have test and dev boxes. (Because you aren't doing that on live boxes, right?)

So, lets add a few high-end ethernet switches in. And don't forget things like DNS boxes (to cache, so you have decent performance for all the DNS lookups most spam systems do these days), and a few really high-end firewalls. Oh, and racks to mount these all in, plus cabling. And a power supply. (Not the ones in the boxes, the one outside the building converting the mains power to 110. You'll need at least one extra.) Oh, which reminds me: Better have a backup generator. And a failover UPS for the whole place.

Heck, you may need a new building to put all this in. Which will need an HVAC system, of course.

Oh, and those machines won't run themselves. So you'll need to hire a few people; fairly qualified admins.

And it's a decent-sized team, so remember to fund their manager, and possibly an HR person for them too.

We haven't mentioned the actual data line yet. It's going to have to be a big one, probably installed especially for this. Oh, and you'll want it redundant. So, make that two. (And better remember how much it is going to cost just to negotiate for those lines: That's several man-months of time, most likely.)

Of course, we haven't talked software yet: Likely you'll want Unix/Linux, but for this you'll probably want an official support contract. Which covers the OS. We'll also want one on whatever anti-spam package we are using. And possibly one on a monitoring package, to help keep track of when it is up. There may be others as well.

Oh, and for full redundancy, you'll probably want to set up at least two separate sites. So, double most of the above. (We'll use the same admins for both.)

Hmm. Haven't talked backups yet. That's probably going off-site. A few more computers, a tape machine, off-site transport, admins to run all of it...

Seriously. You have troops, agents and all. Just shoot them. And if they are in another country, and that country refuses to extradite them, invade 'em. It's what you do best, and for once, everybody on the whole world could agree. Even North Korea and the Taliban. ^^

Cops and prisons exist for a set of very real reasons. Applying technical 'fixes' to what is a criminal enterprise is like busting your ass building ever higher and ever thicker walls around your house: If you don't deal with the root of the problem, the criminals themselves, all you're doing is delaying the inevitable.

Everybody up to this point has been engrossed in spending all this time and money building ever higher and ever futile walls, ceding the world of the Internet to the criminals while we try to make our tiny little pieces of turf 'safe.'

This could be useful. It will result in an official DoD list of known spammers. That will make prosecutions easier. And the "attack on Government computer" provision in the Computer Crime Act will apply.

If someone from DISA pushes hard enough, the FBI can be tasked to take down the top spammers. It doesn't matter where they are; if the U.S. Government is annoyed enough with them, they can be shut down. That's what the State Department is for.